I've just checked FF 9.0.1 and it has about 70 trusted root CAs, while IE7 has only 25, but even if it's 600 in other browsers, this is really a very small portion of what it could be if self-signed certs were used. I agree that trusting all of them, even if it's only 25, is probably not a good idea. Since you've mentioned CRLs, please let me know how it's addressed in the Android world and what CRLs it supports. It should be considered a real threat if you consider:

1. The big lifetime span required for Android's certs
2. No good security controls for storing private keys in the zillions of small companies that write apps for the Android market. Even medium or big companies do not often use HSMs to implement their PKI, and I'm aware of cases where private keys are stored on a developer's PC. The probability of key compromise is very high under these circumstances.

On Tue, Jan 17, 2012 at 6:54 PM, Jeffrey Walton <[email protected]> wrote:
> On Tue, Jan 17, 2012 at 12:57 PM, Oleg Gryb <[email protected]> wrote:
> > Is a self-signed cert a "hard" requirement? It's kind of unusual. In my
> > mindset, self-signed certs should be used in pre-prod environments
> > only. The whole idea of a CA is that everybody knows and trusts them and
> > relies on them when something needs to be verified about a less known
> > 3rd party. It makes it possible to store a few trusted CAs in all relying
> > apps (e.g. browsers) instead of the millions of 3rd parties that you might
> > connect to.
> Browsers currently trust over 600 CAs - it's a far cry from a few CAs.
> How many are on file for a device is another story, as is key usage
> enforcement. See "How secure is HTTPS today? How often is it
> attacked?", https://www.eff.org/deeplinks/2011/10/how-secure-https-today.
>
> The EFF has begun tracking and aggregating certificate revocations.
> While there were four CA compromises reported in 2011
> (https://www.eff.org/deeplinks/2011/10/how-secure-https-today), the
> statistics should become much more meaningful when data is pulled from
> aggregated sources such as CRLs and not newspaper reports.
>
> Trusting a myriad of CAs is about as boring as trusting Wall Street
> Bankers. Like the financial crisis of 2008, things are going to get
> interesting.
>
> Jeff
